• Nginx Configuration 4 - HTTPS Site Setup


    Nginx Configuration 4: HTTPS Site Setup

    1 Check whether the ssl module is compiled in

    [root@nginx-node01 1.16.0]# ./nginx -V 2>&1 | sed 's/ /\n/g' | grep ssl
    --with-http_ssl_module
    

    If nginx was built without http_ssl_module, ssl support has to be added at compile time; see the post "Shell编译安装nginx" (compiling and installing nginx from the shell).

    2 Configure the server blocks

    Put the nginx-node01.crt certificate and the nginx private key produced in "Generating public/private keys and CA certificates" into the ssl directory.

    # HTTPS server

    # Force HTTP requests to redirect to HTTPS
    server {
        listen       80;
        server_name  www.kov.com;
        return       301 https://$server_name$request_uri;
    }

    server {
        listen       443 ssl;
        server_name  www.kov.com;

        ssl_certificate      ssl/nginx-node01.crt;
        ssl_certificate_key  ssl/nginx-node01.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }


    3 Set the domain name on the client

    [root@ca CA]# echo 192.168.56.104 www.kov.com >> /etc/hosts
    
    [root@ca CA]# cat /etc/hosts
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1	localhost
    255.255.255.255	broadcasthost
    ::1             localhost 
    fe80::1%lo0	localhost
    ......
    192.168.56.104 www.kov.com
    

    4 Test from the client with curl

    Before adding the CA certificate on the client

    [root@ca CA]# curl https://www.kov.com
    curl: (60) Peer's Certificate issuer is not recognized.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    

    After adding the CA certificate on the client

    [root@ca CA]# curl --cacert cacert.pem https://www.kov.com
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to www.kov.com!</title>
    </head>
    <body>
    <h1>Welcome to nginx ssl!</h1>
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    

    5 Verify in the client browser

    1. NET::ERR_CERT_AUTHORITY_INVALID error

    Fix: mark the certificate as trusted in Keychain (figure below).

    2. NET::ERR_CERT_COMMON_NAME_INVALID error

    Fix: follow the supplement in the "CA signs the certificate" part of "Generating public/private keys and certificates"; after the CA has re-signed a multi-domain certificate, mark the certificate as trusted in Keychain again.
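    The two browser errors above, and curl's error 60 from section 4, can be reproduced and told apart offline with openssl. This is an added example, not code from the original post; the CA and server certificates it generates are constructed test data, and only the hostname www.kov.com comes from the post.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce offline the two browser
# errors of section 5 and show the checks that tell them apart. All keys and
# certificates here are constructed test data; only www.kov.com is from the post.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# A private CA, standing in for the post's cacert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue <name> <CN> [<SAN list>]: CA-signed server cert, with a
# subjectAltName extension only when a third argument is given.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  ext=""
  if [ -n "$3" ]; then
    printf 'subjectAltName=%s\n' "$3" > "$WORK/$1.ext"
    ext="-extfile $WORK/$1.ext"   # deliberately left unquoted below
  fi
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 $ext -out "$WORK/$1.crt" 2>/dev/null
}

# classify <cert> <host> <cafile>: why a browser or curl using that CA bundle
# would reject <cert> for <host>; prints ok | authority_invalid | common_name_invalid
classify() {
  # 1. Chain check. Failing here is NET::ERR_CERT_AUTHORITY_INVALID (curl: 60).
  if ! openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then
    echo authority_invalid; return
  fi
  # 2. Name check. Browsers match the host against subjectAltName DNS entries
  #    and ignore the CN, so a CN-only cert gives NET::ERR_CERT_COMMON_NAME_INVALID.
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')
  if ! openssl x509 -noout -text -in "$1" | grep -Eq "DNS:$pat(,|\$)"; then
    echo common_name_invalid; return
  fi
  echo ok
}

# Self-signed (unknown CA), CA-signed with CN only, CA-signed with CN plus SAN.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.kov.com' \
  -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
issue cnonly www.kov.com
issue san www.kov.com 'DNS:www.kov.com,DNS:kov.com'
for c in self cnonly san; do
  echo "$c: $(classify "$WORK/$c.crt" www.kov.com "$WORK/ca.crt")"
done
```

    Only the last certificate passes both checks, which is why re-signing a multi-domain (SAN) certificate and trusting the CA are both needed to clear the two browser errors.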

  • Original URL: https://www.cnblogs.com/elfcafe/p/13286318.html